Sasser Worm Anti-Virus Notes

Over the bank holiday weekend a new worm hit the Internet. "Sasser" attacks PCs directly over the Internet, unlike recent viruses such as NetSky, which spread via infected e-mails.

Sasser scans random IP addresses, trying to connect to each on TCP port 445. If a connection succeeds, it then attempts to exploit the "Microsoft Windows LSASS buffer overflow vulnerability": http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
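The scanning described above leaves a recognisable trace in firewall logs: one internal host contacting many different addresses on TCP port 445 in a short time. The following Python script is an added example, not part of the original EIS notice; the log format, the sample lines, the function name find_scanners and the window and threshold values are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format:
# timestamp  source  destination  protocol  dest-port  action
SAMPLE_LOG = """\
2004-05-03T09:00:01 10.0.0.23 198.51.100.7 TCP 445 DENY
2004-05-03T09:00:02 10.0.0.23 203.0.113.91 TCP 445 DENY
2004-05-03T09:00:02 10.0.0.5 10.0.0.2 TCP 445 ALLOW
2004-05-03T09:00:03 10.0.0.23 192.0.2.14 TCP 445 DENY
2004-05-03T09:00:04 10.0.0.23 198.51.100.200 TCP 445 DENY
2004-05-03T09:00:05 10.0.0.9 198.51.100.80 TCP 80 ALLOW
2004-05-03T09:00:06 10.0.0.23 203.0.113.5 TCP 445 DENY
2004-05-03T09:00:07 10.0.0.5 10.0.0.2 TCP 445 ALLOW
2004-05-03T09:00:08 10.0.0.23 192.0.2.77 TCP 445 DENY
truncated line
2004-05-03T09:05:00 10.0.0.9 203.0.113.60 TCP 445 DENY
"""

def find_scanners(log_text, port=445, window=timedelta(seconds=60), threshold=5):
    """Map each source to the most distinct destinations it contacted on
    `port` inside any sliding `window`, keeping sources that reach `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        ts, src, dst, proto, dport, _action = fields
        if proto == "TCP" and dport == str(port):
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct hosts on TCP 445 within 60s - isolate and check patch level")
```

A workstation that talks to a single file server on port 445 stays below the threshold, so normal file sharing is not flagged.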

Symptoms:

  • PC Rebooting / Shutting Down

The following screenshots:

Affected Operating Systems:
•  Microsoft Windows 2000, SP 2, SP 3, SP 4
•  Microsoft Windows XP, SP 1

Sasser only affects Windows 2000 and Windows XP. However, the updates listed below cover operating systems from NT 4 onwards. We recommend you update all of your PCs and servers to cover the case of a virus being released for these older operating systems.

Strategy:

Install the Microsoft patches to prevent a machine from being infected:

Visit Windows Update and make sure you are up to date with all critical updates.

If you can't get to Windows Update or just wish to patch this instance:

* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
- Download the update

* Microsoft Windows NT Server 4.0 Service Pack 6a
- Download the update

* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Download the update

* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4
- Download the update

* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Download the update

* Microsoft Windows XP 64-Bit Edition Service Pack 1
- Download the update

* Microsoft Windows XP 64-Bit Edition Version 2003
- Download the update

* Microsoft Windows Server(tm) 2003
- Download the update

* Microsoft Windows Server 2003 64-Bit Edition
- Download the update

We strongly recommend you visit Windows Update often to keep your PCs up to date.

Check details on your AV supplier's site; this will include checking the version of your AV software and DAT files.

Network Associates:

Download the latest SDAT from:

http://www.networkassociates.com/uk/downloads/updates/superdat.asp

If you think that you may have infected computers, please run the Avert Stinger tool:

Microsoft Sasser Removal Tool:

And also run the Symantec W32.Netsky@mm Removal Tool:

EIS recommend you patch every single computer that has access to the Internet AND run all three tools.

Make sure all machines are running the latest anti-virus updates.

These instructions are provided "as is" and without any warranty or assurance of success.


UPDATED: 26 September 2006

EIS, The EIS Centre, Oxford Road, Maidstone, ME15 8AW
Tel: 01622 683708 | Fax: 01622 663591 | Email: eis@kent.gov.uk | Terms & Conditions
Helping to get IT right!